Securely store personal files — without FileVault

© 2006 Lawrence I. Charters

Washington Apple Pi Journal, Vol. 28, no. 3, May-June 2006, pp. 11-13.

Use a Mac for more than a few weeks and you’ll discover it quickly accumulates vast amounts of personal information. It might hold your checkbook, your income tax information, health records, credit card information, warranty information, address books, genealogy records, and countless other bits and pieces of highly personal data. Generally speaking, you want this data handy for your needs – and completely unavailable to anyone else.

The Mac offers a powerful tool for the paranoid in Mac OS X 10.4: FileVault. With just a few clicks and a good password, your computer’s hard drive is encrypted. If someone steals your laptop or, somewhat less likely, your desktop Mac, they won’t be able to recover anything from the hard drive.

Unfortunately, FileVault also has a dark side: if you have problems with your hard drive, FileVault may prevent you from recovering your own data. Since FileVault encrypts the data, and since drive recovery tools can’t break into FileVault, minor problems with your drive can escalate into major data losses.

If you use a Mac at work, you will probably find your employer prohibits the use of FileVault. Generally speaking, employers consider the computers to be, well, theirs, and don’t appreciate employees encrypting them.

Important disclaimer: the author has nothing against FileVault. FileVault is a wonderful piece of technology, without doubt, the best operating-system-level encryption tool ever released in a consumer operating system. Most operating systems would kill for a secure storage technology as cool as FileVault. Etc.

But the Mac has another very powerful tool for the paranoid: Disk Utility. Most users know Disk Utility as the magical application that can verify hard drives, repair permissions, format new disk drives, and make copies of CD-ROMs and DVDs. Yet it can do more: Disk Utility can make portable password-protected disk images.

Portable, password-protected disk images have some wonderful advantages. Until you open the image, the disk image is just a file on your hard drive. If someone gains access to your computer, or, worse, steals your computer, the image looks like just a single file. The intruder has no idea what the file might be, and, without the password, they have no way to open it up.

Depending on size, you can E-mail the disk image to yourself, copy it to a CD-ROM or DVD, copy it to a flash drive, or copy it to a file server. If you have a .mac account, you can copy it to an obscure location on your .mac drive, then reach it remotely from almost anywhere in the world.

Figure 1: Navigate the nested menus in Disk Utility to select New > Blank Disk Image…

So how do you make a portable, password-protected disk image?

  • Launch Disk Utility. Disk Utility resides in the Mac OS X Utilities folder;
  • From the File menu, select New > Blank Disk Image (see Figure 1);
  • You will be prompted for a disk image name and a place to store it. Give it a name so common and boring that it won’t draw any attention, such as the hopelessly ambiguous “stuff,” and select the Desktop as the place to store it;
  • For Size, for our demonstration we’ll leave it at the default 40 MB;
  • For Encryption, select AES-128. Translated into English, this means, “really mean, nasty encryption, suitable for storing all but the most sensitive Cold War secrets;”
  • For Format, select read/write disk image.
  • Once you’ve selected all the options, press the Create button (see Figure 2);
  • After a couple of seconds, you will be prompted to give the file a password. It is important to come up with a password that is easy for you to remember, but impossible for anyone else to guess, so try for a word or phrase that is at least ten characters long. For this example, try “secret cold war files” and retype it to verify it (see Figure 3);

  • Uncheck the “Remember password (add to Keychain)” checkbox. Why? Because someone with access to your computer could gain access to your Keychain, too.
  • Quit Disk Utility.
Figure 2: You can name the image something besides “stuff,” you can save it somewhere other than the Desktop, and you can make it almost any size you want. But be sure and select AES-128 Encryption and be sure and make the image read/write.
Figure 3: Most people waste much effort trying to come up with memorable short passwords. It is almost always easier to come up with a memorable pass phrase. These might involve more typing, but they are easier to remember – and far more secure as well.

You should end up with a file called stuff.dmg on your Desktop, and an icon that looks like a floppy disk drive called “stuff” (see Figure 4). If you open up the “stuff” image, you should find you have about 31 megabytes of space for your income tax returns, property records, embarrassing high school photos and other things you’d like to keep, but keep to yourself. When you are done copying things to your “stuff” drive, eject it by dragging it to the trash or right-clicking on it and selecting Eject. You will still have the stuff.dmg file on your desktop.

Figure 4: An encrypted disk image (on the right) doesn’t look any different than any other disk image. But if you don’t know the password, you can’t mount it and use it.

You can now copy this encrypted image wherever you need it. If you want to add more information to it, or access something in it, just double-click on stuff.dmg and you’ll be prompted for the password or passphrase.

If you find that 40 megabytes aren’t enough, use Disk Utility to create a bigger image. Disk Utility will allow you to create disk images in the multi-terabyte range, though Washington Apple Pi has never been able to verify this capability. (Please contact maceditor@wap.org if you’d like to donate an Xserve RAID to Washington Apple Pi.)

Some suggestions on managing your new, portable encrypted disk image:

  • When you back it up, color the original using the Finder color labels. That way, you can know at a glance if stuff.dmg has been backed up. Obviously, if you copy new things to it, you need to un-color it until it is backed up again;
  • If you store a copy on .mac, you might wish to append a date to the file name, so you know when you put it there. Write the date in the form of year, month, day, as in: stuff060415.img, for April 15, 2006. That way you’ll know when that particular copy of your image was created. Why year, month, day? Because it will list properly when files are shown in alphabetical order;
  • Carrying a copy of the encrypted image on a keychain flash drive is very handy. If your encrypted image won’t fit on a flash drive, buy a bigger flash drive.
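
The Disk Utility steps and the dated-copy suggestion above can also be scripted from Terminal. The following is an added example, not part of the original article. It assumes the hdiutil command shipped with current macOS, and the function names (dated_name, create_image, backup_image) are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): create an AES-128 encrypted,
# read/write disk image with hdiutil and make year-month-day dated copies.
set -eu

# dated_name FILE YYYY-MM-DD  ->  e.g. stuff.dmg 2006-04-15 -> stuff060415.dmg
dated_name() {
    dn_base=${1%.*}; dn_ext=${1##*.}
    dn_year=${2%%-*}; dn_year=${dn_year#??}      # keep two-digit year
    dn_rest=${2#*-}
    dn_month=${dn_rest%%-*}; dn_day=${dn_rest#*-}
    printf '%s%s%s%s.%s\n' "$dn_base" "$dn_year" "$dn_month" "$dn_day" "$dn_ext"
}

# create_image IMAGE [SIZE]: hdiutil prompts for the passphrase itself,
# so the passphrase never appears in this script or in shell history.
create_image() {
    ci_vol=$(basename "${1%.dmg}")
    hdiutil create -size "${2:-40m}" -type UDIF -fs HFS+ \
        -volname "$ci_vol" -encryption AES-128 "$1"
    # Stop here unless hdiutil reports the finished image as encrypted.
    hdiutil isencrypted "$1" | grep -q 'encrypted: YES'
}

# backup_image IMAGE DEST_DIR: copy the (unmounted) image under a dated
# name, confirm the copy is byte-identical, and print the copy's path.
backup_image() {
    bi_copy="$2/$(dated_name "$(basename "$1")" "$(date +%Y-%m-%d)")"
    cp -p "$1" "$bi_copy"
    cmp -s "$1" "$bi_copy"
    printf '%s\n' "$bi_copy"
}

# Usage: script create ~/Desktop/stuff.dmg 40m
#        script backup ~/Desktop/stuff.dmg /Volumes/FLASH
case "${1:-}" in
    create) create_image "$2" "${3:-40m}" ;;
    backup) backup_image "$2" "$3" ;;
esac
```

Eject the image before running the backup step, so the copy is taken from a file that is not being written to.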

The nicest thing about such password-protected images is: they are free. All you need is a Mac and Disk Utility. You don’t have to buy anything extra, you don’t have to add anything to your Mac, you don’t have to use exotic hardware. There is no lengthy manual to read, you don’t need to know a thing about encryption or cryptography or even what AES-128 means.

It may not be as cool as a super-charged Aston-Martin sports car. But if James Bond used a Mac for storing his secrets, he’d stop getting captured by the bad guys: his secrets would be safe. And the gas bills are lower, too.